CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32194 – Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
https://notcve.org/view.php?id=CVE-2023-32194
16 Oct 2024 — A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. Se ha identificado una vulnerabilidad al otorgar un rol de creación o * global para un tipo de recurso de "espacios de nombres"; sin importar el grupo de API, el sujeto recibirá * permisos para espacio... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32194 • CWE-269: Improper Privilege Management •
CVSS: 8.4EPSS: 1%CPEs: 3EXPL: 0CVE-2023-22649 – Rancher 'Audit Log' leaks sensitive information
https://notcve.org/view.php?id=CVE-2023-22649
16 Oct 2024 — A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. Se ha identificado una vulnerabilidad... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22649 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10676
https://notcve.org/view.php?id=CVE-2020-10676
12 Dec 2023 — In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. En Rancher 2.x anterior a 2.6.13 y 2.7.x anterior a 2.7.4, una verificación de autorización aplicada incorrectamente permite a los usuarios que tienen cierto acceso a un espacio de nombres mover ese espacio de nombres a un proyecto diferente. • https://forums.rancher.com/c/announcements • CWE-863: Incorrect Authorization •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43760
https://notcve.org/view.php?id=CVE-2022-43760
01 Jun 2023 — An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator o... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22647
https://notcve.org/view.php?id=CVE-2023-22647
01 Jun 2023 — An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < ... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647 • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22651
https://notcve.org/view.php?id=CVE-2023-22651
04 May 2023 — Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. Improper Privilege Managem... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651 • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43755 – Rancher: Non-random authentication token
https://notcve.org/view.php?id=CVE-2022-43755
07 Feb 2023 — A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205297 • CWE-331: Insufficient Entropy •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21953 – Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
https://notcve.org/view.php?id=CVE-2022-21953
07 Feb 2023 — A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1199731 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2022-43757 – Rancher: Exposure of sensitive fields
https://notcve.org/view.php?id=CVE-2022-43757
07 Feb 2023 — A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205295 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43758 – Rancher: Command injection in Git package
https://notcve.org/view.php?id=CVE-2022-43758
07 Feb 2023 — A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users by default) This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205294 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •